
List:       rssh-discuss
Subject:    Re: ongoing issue getting rssh with chroot working under RHEL5
From:       Marc Skinner <marc () e-skinner ! net>
Date:       2009-03-19 15:44:38
Message-ID: 49C26866.6070705 () e-skinner ! net

Russ Allbery wrote:
> "Glyn Davies" <gdavies@skytv.co.nz> writes:
> 
>> Mar 18 04:44:56 crltc226 rssh_chroot_helper[3581]: chrooted to
>> /home/dummy
>> Mar 18 04:44:56 crltc226 rssh_chroot_helper[3581]: changing working
>> directory to / (inside jail)
>> Mar 18 04:44:56 crltc226 rssh_chroot_helper[3581]: execv() failed,
>> /usr/libexec/openssh/sftp-server: Permission denie
> 
> Is /usr/libexec/openssh/sftp-server inside the chroot executable?
> 

below is the script i used on CENTOS5.2 - which i know isn't technically
RHEL5.3 - but it is very close.

2 scripts

l2chroot.sh - determines what linked libraries need to be copied into
the chroot

mkchroot.sh - the main script, it calls l2chroot.sh for help on linked
libraries

both scripts do have a couple of variables hard coded in each of them at
the top, i was too lazy to do the proper argument checking etc, needed
for a robust command line version.  good luck!

=================================================================================

#l2chroot.sh

#!/bin/bash
# Use this script to copy shared (libs) files to Apache/Lighttpd chrooted
# jail server.
# ----------------------------------------------------------------------------
# Written by nixCraft <http://www.cyberciti.biz/tips/>
# (c) 2006 nixCraft under GNU GPL v2.0+
# + Added ld-linux support
# + Added error checking support
# ------------------------------------------------------------------------------
# See url for usage:
# http://www.cyberciti.biz/tips/howto-setup-lighttpd-php-mysql-chrooted-jail.html
# -------------------------------------------------------------------------------
# Set CHROOT directory name
BASE="/LV3.BACKUP"

if [ $# -eq 0 ]; then
  echo "Syntax : $0 /path/to/executable"
  echo "Example: $0 /usr/bin/php5-cgi"
  exit 1
fi

# create the chroot base directory if it does not exist yet
[ ! -d "$BASE" ] && mkdir -p "$BASE" || :

# iggy ld-linux* file as it is not shared one
# (column 3 of ldd output is the resolved path; entries without one show "(0x...)")
FILES="$(ldd "$1" | awk '{ print $3 }' | egrep -v '^\(')"

echo "Copying shared files/libs to $BASE..."
for i in $FILES
do
  d="$(dirname "$i")"
  [ ! -d "$BASE$d" ] && mkdir -p "$BASE$d" || :
  /bin/cp "$i" "$BASE$d"
done

# copy /lib/ld-linux* or /lib64/ld-linux* to $BASE/$sldlsubdir
# get ld-linux full file location
sldl="$(ldd "$1" | grep 'ld-linux' | awk '{ print $1}')"
# now get sub-dir
sldlsubdir="$(dirname "$sldl")"

if [ ! -f "$BASE$sldl" ];
then
  echo "Copying $sldl $BASE$sldlsubdir..."
  /bin/cp "$sldl" "$BASE$sldlsubdir"
else
  :
fi


=================================================================================

#mkchroot.sh

#!/bin/bash

BASE="LV3.BACKUP"
USERNAME="thesrc"

useradd -d /$BASE/BACKUP -s /usr/bin/rssh $USERNAME
mkdir -p /$BASE/{dev,etc,lib,usr,bin}
mkdir -p /$BASE/usr/bin
mkdir -p /$BASE/usr/libexec/openssh
mkdir -p /$BASE/BACKUP
# user:group form (the dot separator is deprecated)
chown $USERNAME:$USERNAME /$BASE/BACKUP

mknod -m 666 /$BASE/dev/null c 1 3

cd /$BASE/etc
cp /etc/ld.so.cache .
cp -avr /etc/ld.so.conf.d/ .
cp /etc/ld.so.conf .
cp /etc/nsswitch.conf .
cp /etc/hosts .
cp /etc/resolv.conf .
# keep only the root and $USERNAME entries in the jail's group and passwd files
grep -e "^root:x" -e "^$USERNAME:" /etc/group > /$BASE/etc/group
grep -e "^root:x" -e "^$USERNAME:" /etc/passwd > /$BASE/etc/passwd

cd /$BASE/usr/bin
cp /usr/bin/scp .
cp /usr/bin/rssh .
cp /usr/bin/sftp .
cp /usr/bin/rsync .
cd /$BASE/usr/libexec/openssh
cp /usr/libexec/openssh/sftp-server .
cd /$BASE/usr/libexec
cp /usr/libexec/rssh_chroot_helper .

/root/l2chroot.sh /usr/bin/scp
/root/l2chroot.sh /usr/bin/rssh
/root/l2chroot.sh /usr/bin/sftp
/root/l2chroot.sh /usr/bin/rsync
/root/l2chroot.sh /usr/libexec/openssh/sftp-server

cp /lib64/libnss_files* /$BASE/lib64
rm -rf /$BASE/BACKUP/*.
# remove dotfiles from the new home directory; .[!.]* avoids matching . and ..
rm -rf /$BASE/BACKUP/.[!.]*

=================================================================================
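
Added example (not part of the original message and not rssh project code): a check for the failure modes this thread deals with, namely a jailed binary or a directory above it lacking the execute bit, and linked libraries missing from the jail. The names jail_check, world_x and ldd_paths are hypothetical, and the check assumes jail files are root-owned, as mkchroot.sh leaves them.

```shell
#!/bin/sh
# Added example: audit a chroot jail for common causes of execv() failures.
# Assumption: jail files are root-owned (as mkchroot.sh leaves them), so the
# jailed user reaches them through the "other" permission bits.

# Print every absolute path named in ldd output read from stdin
# (resolved libraries and the ld-linux loader; vdso lines carry no path).
ldd_paths() {
  awk '{ for (i = 1; i <= NF; i++) if ($i ~ /^\//) print $i }'
}

# True if "other" has the execute/search bit on $1.
world_x() {
  [ -n "$(find "$1" -prune -perm -001 2>/dev/null)" ]
}

# jail_check BASE /abs/path/of/binary -> prints findings, returns 1 if any.
jail_check() {
  jc_base=$1; jc_bin=$2; jc_rc=0
  if [ ! -f "$jc_base$jc_bin" ]; then
    echo "MISSING  $jc_base$jc_bin"; return 1
  fi
  # The binary needs o+x, and so does every directory from it up to the jail root.
  jc_p=$jc_bin
  while [ -n "$jc_p" ] && [ "$jc_p" != "/" ]; do
    world_x "$jc_base$jc_p" || { echo "NO-X     $jc_base$jc_p"; jc_rc=1; }
    jc_p=$(dirname "$jc_p")
  done
  world_x "$jc_base" || { echo "NO-X     $jc_base"; jc_rc=1; }
  # Each library the binary links against must exist at the same path in the jail.
  for jc_lib in $(ldd "$jc_base$jc_bin" 2>/dev/null | ldd_paths); do
    [ -e "$jc_base$jc_lib" ] || { echo "NO-LIB   $jc_base$jc_lib"; jc_rc=1; }
  done
  return $jc_rc
}

# For the jail in the quoted log this would be run as:
#   jail_check /home/dummy /usr/libexec/openssh/sftp-server
```

Run it as root once per binary copied into the jail; no output and exit status 0 means none of these three problems was found.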
